Passwords are frequently used for authentication purposes in information technology. Humans have difficulty remembering secure passwords. According to a recommendation by the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik), passwords should be at least 8 characters in length and should include digits and special characters in addition to letters (see reference [1], for example). In addition, a dedicated password should be created for each application. This means that the user has to remember an extensive list of long and complex passwords. Moreover, entering such passwords on a terminal device by means of a keyboard is very inconvenient and error-prone.
Password managers (widespread systems are shown in references [2], [3], [4] and [5], for example) are software which enables managing a large number of passwords. By means of such software, secure passwords may be created automatically and stored. If a password manager is installed on a PC, a password may be copied to the clipboard and then pasted into the password dialog. This solution has the disadvantage, for example, that the user has to log into a PC in order to access his/her password manager. Login into the operating system itself, for example, cannot be performed with the aid of a password manager. In order to be usable, the password manager has to be installed. This may be prohibited, e.g., on computers used at the place of work or in internet cafés. Furthermore, one has to trust the device on which the password manager is installed. This is critical in particular with devices the user is not familiar with. Moreover, when using the password manager on different devices, the user has to synchronize the list of passwords between all of said devices.
In addition, situations may arise wherein the dialog for password entry is not displayed on the same device on which the password manager is installed. This may be the case if a person manages a very large number of devices and does not want to install the password manager on all of them, or if the login is performed on a device the user is not familiar with. To log in here with a password stored within the password manager, the user has to have the password displayed to him/her on another device and then manually type the password into the password dialog. This is not only very inconvenient but also represents a significant security loophole, since other persons can see the password.
A further possibility of preventing passwords from being displayed in plain text on a device prior to being entered consists in using pairs of a mobile terminal device (e.g. a smartphone) and a piece of software which runs on the device on which the user wants to log in (see reference [6], for example). When a password is needed, the user prompts his/her mobile terminal device to transmit the password to the software installed for this purpose. Said software receives the data and forwards it to the login dialog. This prevents the password from being displayed on a screen. This possibility also has considerable disadvantages; for example, the corresponding software has to be installed on all devices on which the user wants to log in. Moreover, the user has to have already logged into a PC in order to be able to access his/her stored passwords. In addition, for each device on which the system is to be applied, coupling has to be performed between the mobile terminal device and the device which prompts the login.
A further, currently known possibility provides for the utilization of dedicated hardware (see reference [7], for example). To this end, credentials, i.e. pairs of user names and passwords, are stored on a device similar to a USB stick. When a user needs a password, he/she authenticates himself/herself to the special hardware and can read the user name and the password from its display. However, this possibility has the disadvantages that the password is displayed in plain text and has to be entered manually on the device. The dedicated hardware comprising a display is expensive and needs to be carried along everywhere.
Furthermore, an input stick (see reference [8], for example) is known which solves many of the known problems. The input stick presents itself to a PC as a standard keyboard. By means of a suitable application on a smartphone, passwords may be managed, selected and then sent to the PC. To the PC, this transmission looks as if the password were being typed on a commercially available keyboard. Thus, no software needs to be installed on the PC. However, this solution has the drawback that the passwords are stored on the mobile phone. This represents a considerable security problem even if security mechanisms are employed, for example encrypting the password database. Since even passwords stored in encrypted form have to be decrypted before being sent to the input stick, there is the risk that an attacker may extract said passwords. Since the number of attacks on mobile platforms has been observed to increase continuously, this represents a considerable security problem.